Cisco 3.3 User Manual


User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 15 Unknown User Policy

Known, Unknown, and Discovered Users

Cisco Secure ACS does not support failover authentication. If
authentication fails with the database that the user is associated with,
Cisco Secure ACS uses no other means to authenticate the user and
Cisco Secure ACS informs the AAA client of the authentication failure.

Posture validation—Cisco Secure ACS always uses the Unknown User
Policy to determine which Network Admission Control (NAC) database
to use for a posture validation request. For more information, see
Posture Validation and the Unknown User Policy, page 15-10.

Unknown Users—Users who do not have a user account in the CiscoSecure
user database. This either means that the user has not received authentication
or posture validation services from Cisco Secure ACS or that the user account
was deleted. Cisco Secure ACS handles authentication and posture validation
requests for unknown users as specified by your configuration of the
Unknown User Policy.

Authentication—For details about unknown user authentication, see
General Authentication of Unknown Users, page 15-5.

Posture validation—Cisco Secure ACS always uses the Unknown User
Policy to determine which NAC database to use for a posture validation
request. For more information, see Posture Validation and the Unknown
User Policy, page 15-10.

Discovered Users—Users whose accounts Cisco Secure ACS created in the
CiscoSecure user database after successful authentication or posture
validation using the Unknown User Policy. All discovered users were
unknown users. When Cisco Secure ACS creates a discovered user, the user
account contains only the username, a Password Authentication list setting
that reflects the database that provided authentication or posture validation
service for the user, and a “Group to which the user is assigned” list setting
of Mapped By External Authenticator, which enables group mapping. Using
the Cisco Secure ACS HTML interface or RDBMS Synchronization, you can
further configure the user account as needed. For example, after a discovered
user is created in Cisco Secure ACS, you can assign user-specific network
access restrictions to the discovered user.

Note

Cisco Secure ACS does not import credentials (such as passwords,
certificates, or NAC credential types) for a discovered user.
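
As an added illustration (not Cisco Secure ACS code and not part of the original guide), this Python model traces the states described above: an unknown user who authenticates through the Unknown User Policy becomes a discovered user bound to the database that authenticated them, and later requests get no failover to any other database. The database names, the sample credentials, and the assumption that the policy lists databases that are tried in order are constructed for the example.

```python
from dataclasses import dataclass, field

MAPPED = "Mapped By External Authenticator"

@dataclass
class Account:
    """Fields a discovered-user account contains; no credentials are imported."""
    username: str
    password_authentication: str   # database that authenticated the user
    group: str = MAPPED

@dataclass
class AcsModel:
    databases: dict                # constructed: db name -> {username: password}
    unknown_user_policy: list      # assumption: databases tried in listed order
    accounts: dict = field(default_factory=dict)

    def _accepts(self, db, username, password):
        return self.databases.get(db, {}).get(username) == password

    def authenticate(self, username, password):
        """Return (result, database that decided the request)."""
        acct = self.accounts.get(username)
        if acct is not None:
            # Known (including discovered) user: associated database only,
            # no failover to any other database.
            db = acct.password_authentication
            ok = self._accepts(db, username, password)
            return ("pass" if ok else "fail", db)
        for db in self.unknown_user_policy:
            if self._accepts(db, username, password):
                self.accounts[username] = Account(username, db)  # discovered
                return ("pass", db)
        return ("fail", None)

def demo():
    acs = AcsModel(
        databases={"Windows": {"alice": "w1n-pass"},
                   "LDAP": {"alice": "ldap-pass"}},
        unknown_user_policy=["Windows", "LDAP"],
    )
    first = acs.authenticate("alice", "w1n-pass")    # unknown -> discovered
    second = acs.authenticate("alice", "ldap-pass")  # valid in LDAP, not tried
    return first, second, acs.accounts["alice"], acs

if __name__ == "__main__":
    print(demo()[:3])
```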
